bug: update vulnerable axios and unpin dependencies #1051

Open
CHC383 opened this issue Mar 29, 2025 · 0 comments
Labels
bug Something isn't working

Comments

CHC383 commented Mar 29, 2025

Node.js version

22.14.0

NPM version

pnpm 10.7.0

@checkly/cli version

5.1.0

Steps to reproduce

Checkly CLI uses axios 1.7.4, which is subject to GHSA-jr5f-v2jv-69x6

What is expected?

Axios >= 1.8.2

What is actually happening?

Axios == 1.7.4

Any additional comments?

Checkly CLI is using pinned versions; as a library, this leads to the problems described in resend/react-email#2026 on the consumer side. Suggestions would be:

  1. (easier) Unpin the dependencies and use caret ranges instead.
  2. (better) If pinned versions are necessary, decouple the code imported by consumers into a separate library, minimize its dependencies and use caret ranges there, then ask consumers to import the new library instead. As for the CLI use cases (CI/CD, for example), ask consumers to install the CLI separately instead of adding it to package.json, so that its dependencies won't interfere with the consumers' dependencies.
@CHC383 CHC383 added the bug Something isn't working label Mar 29, 2025
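The mechanics behind the report, as an added example that is not part of the issue or of the Checkly CLI: a minimal `major.minor.patch` comparator and caret-range matcher, plus a walk over a constructed dependency tree that shows why a dependent declaring an exact pin such as `1.7.4` cannot be deduplicated onto a patched `axios >= 1.8.2`, while `^1.7.4` can. The package names, the `requires` field and the tree shape are assumptions for illustration (a real lockfile walk would read the package manager's own format); prerelease tags and build metadata are deliberately not handled.

```javascript
// Added example; not code from the issue, from Checkly, or from axios.
// Handles only the major.minor.patch core of a version string (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator for sort().
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True if `version` satisfies `spec`. Supports exact pins ("1.7.4", "=1.7.4"),
// caret ranges ("^1.7.4") and ">=x.y.z" lower bounds.
function satisfies(version, spec) {
  spec = spec.trim();
  if (spec.startsWith('^')) {
    const baseStr = spec.slice(1);
    const base = parseVersion(baseStr);
    const v = parseVersion(version);
    if (compareVersions(version, baseStr) < 0) return false;
    // Caret semantics: the left-most non-zero component must not change.
    if (base[0] !== 0) return v[0] === base[0];
    if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];
  }
  if (spec.startsWith('>=')) return compareVersions(version, spec.slice(2)) >= 0;
  if (spec.startsWith('=')) spec = spec.slice(1);
  return compareVersions(version, spec) === 0;
}

// Constructed dependency tree (hypothetical names and versions): the consumer
// depends on a patched axios directly, while a pinned CLI nests its own copy.
const sampleTree = {
  name: 'consumer-app',
  requires: { axios: '^1.8.0' },
  dependencies: {
    axios: { version: '1.8.2' },
    'some-cli': {
      version: '5.1.0',
      requires: { axios: '1.7.4' }, // exact pin, as described in the issue
      dependencies: { axios: { version: '1.7.4' } },
    },
  },
};

// Collect every installed copy of `pkg`, flag copies below `minSafe`, and
// record whether the dependent's own spec would accept `minSafe` at all
// (an exact pin never does, which is why the consumer cannot dedupe it away).
function auditPackage(tree, pkg, minSafe, path = []) {
  const found = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg) {
      const spec = (tree.requires || {})[pkg];
      found.push({
        path: here.join(' > '),
        version: node.version,
        safe: compareVersions(node.version, minSafe) >= 0,
        spec,
        acceptsFix: spec === undefined ? null : satisfies(minSafe, spec),
      });
    }
    found.push(...auditPackage(node, pkg, minSafe, here));
  }
  return found;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(satisfies('1.8.2', '1.7.4'), satisfies('1.8.2', '^1.7.4'));
  console.table(auditPackage(sampleTree, 'axios', '1.8.2'));
}

module.exports = { parseVersion, compareVersions, satisfies, auditPackage, sampleTree };
```

Running it lists the top-level `axios` as safe and accepted by `^1.8.0`, and the nested `some-cli > axios` as unsafe with `acceptsFix: false`, which is the situation the issue describes: until the CLI itself bumps or unpins, the consumer's lockfile keeps the vulnerable copy.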